Upgrading undercloud from OSP12 to OSP13 fails when SSH directory SELinux contexts need correction

Bug #1767405 reported by Jose Luis Franco
Affects: tripleo
Status: Fix Released
Importance: High
Assigned to: Jose Luis Franco

Bug Description

LP bug based on Bugzilla's https://bugzilla.redhat.com/show_bug.cgi?id=1572143

Description of problem:
During an undercloud upgrade from OSP12 to OSP13, instack-undercloud attempts to ensure SELinux contexts are correct on the stack user's SSH directory. If corrections are required, it attempts to execute semanage as the user running the 'openstack undercloud upgrade' command and not root. This fails with a permission error.

Version-Release number of selected component (if applicable):
instack-undercloud-8.4.0-4

How reproducible:
Create a file with incorrect SELinux context in /home/stack/.ssh and attempt to upgrade an undercloud from Pike to Queens

Actual results:

The upgrade fails with a permission issue running semanage.

Expected results:

The SELinux context should be corrected automatically and the upgrade should succeed.

Additional info:

2018-04-26 08:51:45,091 ERROR: semanage failed: ValueError: SELinux policy is not managed or store cannot be accessed.

2018-04-26 08:51:45,093 DEBUG: An exception occurred
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 2336, in install
    _post_config(instack_env, upgrade)
  File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 2006, in _post_config
    _ensure_ssh_selinux_permission()
  File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 1667, in _ensure_ssh_selinux_permission
    _run_command(cmd)
  File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 642, in _run_command
    env=env).decode('utf-8')
  File "/usr/lib64/python2.7/subprocess.py", line 575, in check_output
    raise CalledProcessError(retcode, cmd, output=output)
CalledProcessError: Command '['semanage', 'fcontext', '-a', '-t', 'ssh_home_t', '/home/stack/.ssh(/.*)?']' returned non-zero exit status 1
2018-04-26 08:51:45,099 ERROR:
#############################################################################
Undercloud upgrade failed.

Reason: Command '['semanage', 'fcontext', '-a', '-t', 'ssh_home_t', '/home/stack/.ssh(/.*)?']' returned non-zero exit status 1

See the previous output for details about what went wrong. The full install
log can be found at /home/stack/.instack/install-undercloud.log.

#############################################################################

OpenStack Infra (hudson-openstack) wrote : Fix proposed to instack-undercloud (master)

Fix proposed to branch: master
Review: https://review.openstack.org/564804

Changed in tripleo:
status: Triaged → In Progress
Changed in tripleo:
importance: Undecided → High
tags: added: containers upgrade
tags: removed: containers
OpenStack Infra (hudson-openstack) wrote : Fix merged to instack-undercloud (master)

Reviewed: https://review.openstack.org/564804
Committed: https://git.openstack.org/cgit/openstack/instack-undercloud/commit/?id=a96a0239cf36d2c51d18335ab1800bb73dc8e171
Submitter: Zuul
Branch: master

commit a96a0239cf36d2c51d18335ab1800bb73dc8e171
Author: Jose Luis Franco Arza <email address hidden>
Date: Fri Apr 27 17:18:09 2018 +0200

    Add sudo into instack's semanage call.

    When having a file with incorrect SELinux context
    in /home/stack/.ssh a permission error is displayed
    at the time of running semanage during Pike to
    Queens undercloud upgrade.

    Closes-Bug: #1767405
    Change-Id: I994917e491d6f8b4141a3c332c79ed8e8ce8e64c

Changed in tripleo:
status: In Progress → Fix Released
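
An added sketch (not instack-undercloud's own code) of the check and the privilege handling this bug turns on: find entries under the SSH directory whose SELinux type is not ssh_home_t, then build the semanage call with sudo when the caller is not root. The function names, the restorecon follow-up step and the sample labels are assumptions; it targets Python 3 on Linux.

```python
import os

SSH_TYPE = "ssh_home_t"

def selinux_type(context):
    """Return the type field of a 'user:role:type:level' SELinux context."""
    parts = context.rstrip("\x00").split(":")
    return parts[2] if len(parts) >= 3 else None

def read_contexts(ssh_dir):
    """Map ssh_dir and everything below it to its security.selinux label."""
    paths = [ssh_dir]
    for root, dirs, files in os.walk(ssh_dir):
        paths += [os.path.join(root, n) for n in dirs + files]
    labels = {}
    for path in paths:
        try:
            raw = os.getxattr(path, "security.selinux", follow_symlinks=False)
            labels[path] = raw.decode()
        except OSError:
            labels[path] = None  # unlabeled: SELinux off or unsupported fs
    return labels

def mislabeled(contexts):
    """Paths that carry a label whose type is not ssh_home_t."""
    return sorted(p for p, c in contexts.items()
                  if c is not None and selinux_type(c) != SSH_TYPE)

def privileged(cmd, euid=None):
    """Prefix cmd with sudo unless the caller is already root."""
    euid = os.geteuid() if euid is None else euid
    return list(cmd) if euid == 0 else ["sudo"] + list(cmd)

def relabel_commands(ssh_dir, contexts, euid=None):
    """Commands to correct the labels, or [] when nothing is mislabeled."""
    if not mislabeled(contexts):
        return []
    return [
        # Same semanage call as in the traceback; it must run as root.
        privileged(["semanage", "fcontext", "-a", "-t", SSH_TYPE,
                    ssh_dir + "(/.*)?"], euid),
        # Assumed follow-up step: apply the rule to files already on disk.
        privileged(["restorecon", "-R", ssh_dir], euid),
    ]

# Constructed sample labels: authorized_keys carries the wrong type.
SAMPLE = {
    "/home/stack/.ssh": "unconfined_u:object_r:ssh_home_t:s0",
    "/home/stack/.ssh/authorized_keys": "unconfined_u:object_r:user_home_t:s0\x00",
}
```

On a live host, `relabel_commands(d, read_contexts(d))` yields the argument lists to hand to `subprocess.check_call`.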
OpenStack Infra (hudson-openstack) wrote : Fix proposed to instack-undercloud (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/565679

OpenStack Infra (hudson-openstack) wrote : Fix merged to instack-undercloud (stable/queens)

Reviewed: https://review.openstack.org/565679
Committed: https://git.openstack.org/cgit/openstack/instack-undercloud/commit/?id=0b94f102704728071cf662ec5951075f429937b6
Submitter: Zuul
Branch: stable/queens

commit 0b94f102704728071cf662ec5951075f429937b6
Author: Jose Luis Franco Arza <email address hidden>
Date: Fri Apr 27 17:18:09 2018 +0200

    Add sudo into instack's semanage call.

    When having a file with incorrect SELinux context
    in /home/stack/.ssh a permission error is displayed
    at the time of running semanage during Pike to
    Queens undercloud upgrade.

    Closes-Bug: #1767405
    Change-Id: I994917e491d6f8b4141a3c332c79ed8e8ce8e64c
    (cherry picked from commit a96a0239cf36d2c51d18335ab1800bb73dc8e171)

tags: added: in-stable-queens
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/instack-undercloud 8.4.2

This issue was fixed in the openstack/instack-undercloud 8.4.2 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/instack-undercloud 9.1.0

This issue was fixed in the openstack/instack-undercloud 9.1.0 release.
